Abstract — In this paper the Output Statistics of Random Binning
(OSRB) framework is used to prove a new inner bound for
the problem of secure channel simulation. Our results subsume 
some recent results on the secure function computation. We also 
provide an achievability result for the problem of simultaneously 
simulating a channel and creating a shared secret key. A special 
case of this result generalizes the lower bound of Gohari and 
Anantharam on the source model to include constraints on the 
rates of the public discussion. 

I. INTRODUCTION 

Output statistics of random binning [6] is a new framework for proving achievability results. In this paper we use this framework to extend the secure function computation of [3] for the case of two users, where two users are observing i.i.d. repetitions of $X_1$ and $X_2$ and would like to construct i.i.d. repetitions of $Y = f(X_1, X_2)$ after interactively exchanging messages on a public channel. The i.i.d. repetitions of the function $Y$ have to remain nearly independent of the messages exchanged. It was shown in [3] that this is possible if and only if $H(Y) < I(X_1; X_2)$. This work was further generalized in [4]. We extend the achievability part of the existing results by assuming that there is an eavesdropper who has access to i.i.d. repetitions of $Z$. Further, in our model the two parties want to generate i.i.d. repetitions of $Y_1$ and $Y_2$, where $Y_1$ and $Y_2$ are not necessarily functions of $X_1$ and $X_2$; they are jointly distributed with $X_1$, $X_2$ and $Z$ according to some arbitrary $p(y_1, y_2 | x_1, x_2) p(x_1, x_2, z)$. We demand a reliable generation of $Y_1^n$ and $Y_2^n$, meaning that the total variation distance between the pmf of the generated $(Y_1^n, Y_2^n, X_1^n, X_2^n, Z^n)$ and the i.i.d. pmf must go to zero asymptotically as $n$ goes to infinity. Further, the public discussion must reveal no new information to Eve about an $S^n$, created by passing $(Y_1^n, Y_2^n, X_1^n, X_2^n, Z^n)$ of the code through $n$ copies of the channel $p(s | x_1, x_2, y_1, y_2, z)$. A special case of interest is when $S = (Y_1, Y_2)$, meaning that we would like to keep the generated rv's hidden from Eve. In our model we further assume rate limited public discussion and a preshared secret key at rate $R_0$. Lastly we provide an achievability result for the problem of simultaneously simulating a channel and creating a shared secret key. A special case of this result generalizes the lower bound of Gohari and Anantharam on the source model [7] to include constraints on the rates of the public discussion.

The paper is organized as follows: in Section II we review the output statistics of random binning technique at some length. In Section III we discuss our new inner bound for the secure channel simulation problem. In Section IV we discuss simultaneous simulation of a channel and generation of a secret key.

Notation: All random variables take values in finite sets. We use $[1:r]$ to denote the set $\{1, 2, 3, \ldots, r\}$, $X_S$ to denote $(X_j : j \in S)$ and $p^U_{\mathcal{A}}$ to denote the uniform distribution over the set $\mathcal{A}$. Given a natural number $i$, $(i)_2$ is 1 if $i$ is odd, and is 2 if $i$ is even. The total variation between two pmf's $p$ and $q$ on the same alphabet $\mathcal{X}$ is defined by

$$\|p(x) - q(x)\|_1 := \frac{1}{2} \sum_x |p(x) - q(x)|.$$

II. Review of Output Statistics of Random Binning 

To illustrate the main ideas behind the OSRB technique, 
we begin with two examples, each of which connects a source
coding problem to a channel coding problem. Our discussion 
is at an intuitive level; see for a rigorous treatment. 

The first example connects Wyner's wiretap channel 13 
to the one-way source model key agreement problem JH. 
Consider the source model key agreement problem: Alice, Bob and Eve have access to i.i.d. repetitions $X^n$, $Y^n$ and $Z^n$ respectively, distributed according to $\prod_{i=1}^{n} p(x_i, y_i, z_i)$. It is known that the key rate $I(X;Y) - I(X;Z)$ is achievable (when $I(X;Y) - I(X;Z) > 0$). To obtain this rate, Alice sends the Slepian-Wolf (SW) index of $X^n$ to Bob (at rate $H(X|Y) + \epsilon$) over a public channel. Then Alice constructs the key $M$ by binning $X^n$ into $2^{n(I(X;Y) - I(X;Z) - \epsilon)}$ bins (this binning is independent of the SW binning). If we denote the public message by $B$ and the key by $M$, the following hold: both $B$ and $M$ are random bin indices of $X^n$, and the key $M$ is nearly independent of $(B, Z^n)$. Thus there is an instance of $B = b$ such that conditioned on $B = b$ the following two properties hold: $M$ is nearly independent of $Z^n$, and Bob can recover the key $M$ with high probability (conditioned on $B = b$). Since $B$ is a function of $X^n$, we have the factorization $p(x^n, y^n, z^n | b) = p(x^n | b) p(y^n, z^n | x^n)$. In other words, conditioning on $B = b$ only changes the marginal distribution of $X^n$ but leaves the channel from $X^n$ to $(Y^n, Z^n)$, i.e. $p(y^n, z^n | x^n)$, undisturbed. Further $p(m, z^n | b) \approx p(m) p(z^n | b)$ and Bob can almost recover $M$ from $Y^n$ conditioned on $B = b$. The joint distribution of these random variables (conditioned on a fixed $B = b$) can be used to construct a code for secure transmission over a wiretap channel $p(y, z | x)$. We interpret $M$ as the message to be transmitted. Since $M$ is nearly independent of $B$, conditioning on $B = b$ does not change its marginal distribution (thus it is still uniform over a set of size $2^{n(I(X;Y) - I(X;Z) - \epsilon)}$). Further, conditioned on $B = b$, the message $M$ is nearly independent of $Z^n$ and can be recovered from $Y^n$. Lastly $p(y^n, z^n | x^n, b) = p(y^n, z^n | x^n)$. This shows that the rate $I(X;Y) - I(X;Z)$ is achievable for the wiretap problem. It is not difficult to modify this proof to show that $\max_{p(u,x)} I(U;Y) - I(U;Z)$ is also achievable for the wiretap channel problem (and indeed this is the capacity region).
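
The claim that the key $M$ is nearly independent of $(B, Z^n)$ can be checked exactly for short blocks. The Python below is an added example, not code from the paper: it assumes a binary source with $X$ uniform and $Z = X \oplus N$, $N \sim \mathrm{Bern}(q)$, so that $H(X|Z) = h(q)$, draws two independent random binnings $B$ and $M$ of $X^n$, and computes the total variation between $p(b, m, z^n)$ and $p^U(b) p^U(m) p(z^n)$. The two rates in the text add up to $H(X|Z)$; the run compares a total bin-index length well below $nH(X|Z)$ with one above it.

```python
import math
import random

def h2(q):
    """Binary entropy in bits."""
    if q in (0.0, 1.0):
        return 0.0
    return -q * math.log2(q) - (1 - q) * math.log2(1 - q)

def binning_tv(n, q, bits_b, bits_m, seed=1):
    """Exact total variation between p(b, m, z^n) and p^U(b) p^U(m) p(z^n).

    Assumed source (constructed for this example): X^n uniform on {0,1}^n,
    Z^n = X^n xor noise with noise i.i.d. Bern(q). B and M are two
    independent, uniformly random binnings of the 2^n sequences x^n.
    """
    rng = random.Random(seed)
    size = 1 << n
    n_b, n_m = 1 << bits_b, 1 << bits_m
    # Joint bin index (b, m) of every x^n, flattened into one cell number.
    cell = [rng.randrange(n_b) * n_m + rng.randrange(n_m) for _ in range(size)]
    # p(x^n | z^n) depends only on the Hamming distance d between x^n and z^n.
    weight = [q ** d * (1 - q) ** (n - d) for d in range(n + 1)]
    dist = [bin(v).count("1") for v in range(size)]
    uniform = 1.0 / (n_b * n_m)
    total = 0.0
    for z in range(size):
        mass = [0.0] * (n_b * n_m)            # p(b, m | z^n)
        for x in range(size):
            mass[cell[x]] += weight[dist[x ^ z]]
        total += 0.5 * sum(abs(p - uniform) for p in mass)
    return total / size                       # p(z^n) = 2^-n for every z^n

def demo(n=10, q=0.3):
    """Return n*H(X|Z) and the TV distance below and above that budget."""
    budget = n * h2(q)
    below = binning_tv(n, q, bits_b=1, bits_m=1)   # 2 bits of bin indices
    above = binning_tv(n, q, bits_b=5, bits_m=5)   # 10 bits of bin indices
    return budget, below, above

if __name__ == "__main__":
    budget, below, above = demo()
    print(f"n*H(X|Z) = {budget:.2f} bits")
    print(f"TV with  2 bits of bin indices: {below:.3f}")
    print(f"TV with 10 bits of bin indices: {above:.3f}")
```

At $n = 10$ the distance below the budget is small but not yet negligible; the statement in the text is asymptotic in $n$.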

Next, consider the problem of sending a message $M$ of rate $R$ over the channel $p(y|x)$. The input distribution $p(x^n)$ is uniform over the $2^{nR}$ codewords, thus it is not i.i.d. However, Shannon's idea of generating a random codebook makes the input distribution i.i.d. Shannon noted that granting preshared randomness between the encoder and decoder (denoted by $B$ and independent of the message $M$) does not increase the capacity of the channel (see the top diagram of Fig. 1). However, the encoder and decoder can use this common randomness to generate an i.i.d. random codebook. Once the random codebook is generated at both the encoder and the decoder, a codeword is chosen according to the value of $M$ and is transmitted over the channel. Thus we have an encoder $X^n(M, B)$ and a decoder $M(Y^n, B)$. Since the probability of error is the average of that over all realizations of $B$, one can find $b$ such that $X^n(M, B = b)$ and $M(Y^n, B = b)$ form appropriate encoder and decoder. The input $X^n(M, B)$ is i.i.d., although $X^n(M, B = b)$ is not so. Now, note that the joint pmf $p_{M,B,X^n} = p_M p_B p_{X^n|M,B}$ can also be written as $p_{X^n} p_{M,B|X^n}$. This is as if we generate an i.i.d. $X^n$ and pass it through a virtual reverse encoder $p_{M,B|X^n}$ to generate $M$ and $B$. This is depicted in the bottom diagram of Fig. 1 where we have changed the direction of arrows to reflect this change of order. In this interpretation we are starting from an i.i.d. $X^n$ and $Y^n$ according to $\prod_{i=1}^{n} p(x_i, y_i)$. Random variable $B$ is now a (public) message transmitted from the transmitter to the receiver. We can view it as the Slepian-Wolf message from $X^n$ to $Y^n$. Once the decoder has recovered $X^n$ it can recover $M$, if $M$ is a function of $X^n$. Now we are ready to create the source coding counterpart. We take some arbitrary $p(x)$ and generate $n$ i.i.d. copies of $X^n$ and $Y^n$ according to $p(x) p(y|x)$. We then construct $B$ and $M$ as random partitions (binnings) of $X^n$. Random variable $B$ is a SW index of size $n(H(X|Y) + \epsilon)$. It enables the receiver to recover $X^n$ with high probability. Thus, the receiver can recover $M$. Next we see that in the channel coding side, $M$ and $B$ are independent and $M$ is uniform. Thus we are looking for constraints that make bin indices $B$ and $M$ of an i.i.d. $X^n$ independent, and $M$ uniform. It turns out that as long as $\log |\mathcal{B}| + \log |\mathcal{M}| < nH(X)$, rv's $B$ and $M$ are independent, and $M$ is uniform. This holds for instance if $|\mathcal{M}| < 2^{n(I(X;Y) - 2\epsilon)}$, giving us the rate $I(X;Y) - 2\epsilon$. To go back to the channel coding problem we look at the $p_{X^n,M,B}$ imposed by $M$, $B$ and $X^n$. Next we take $p_{X^n|M,B}$ and use it in the channel coding setup of Fig. 1. To do away with the shared randomness $B$, we observe that we still have the property that $p(y^n | x^n, B = b) = p(y^n | x^n)$ and $p(m | B = b) \approx p(m)$, meaning that $X^n(M, B = b)$ and $M(Y^n, B = b)$ are legitimate choices as the encoder and decoder; we are done.

Fig. 1. (Top) Point-to-point channel with preshared randomness $B$ to generate a random codebook. (Bottom) The corresponding source coding problem: reversing the order of generating rv's in the box.

Observe the secrecy flavor of the source coding side of the problem: we start from i.i.d. repetitions $X^n$, $Y^n$; we can interpret $B$ as a public message, and $M$ as a secret key which is independent of $B$. This is an instance of the source model SK generation problem.

The OSRB framework is a systematic way of converting channel coding problems into source coding problems (the above examples show how that can happen). The advantage of the conversion is that in the source coding side of the problem we only have one copy of the random variables, e.g. in the point to point example we start from a single i.i.d. copy of $X^n$, $Y^n$; all the other rv's (i.e. $M$ and $B$) are random bins of these i.i.d. rv's. However, if we were to directly attack the channel coding problem, we would have to create a codebook of size $2^{nR}$ containing lots of $x^n$ sequences. This conversion is useful in problems involving multi-round interactive communication with several auxiliary random variables (e.g. the problem studied in this paper) where it is desirable to have just a single i.i.d. repetition of all the original and auxiliary random variables (rather than having many i.i.d. copies of these random variables related to each other through superposition or Marton coding type structures). Once we take a single i.i.d. copy, all the messages and preshared randomness (such as $B$) can be constructed as random bins of these i.i.d. rv's. Traditional coding techniques start with the messages and then create the many codewords. Here we are reversing the order by starting from a single i.i.d. copy of the original and auxiliary rv's, and constructing the messages as bin indices afterwards. This can simplify representing the codebook construction and analyzing its probability of success. For instance, while the traditional framework considers superposition coding and Marton coding as distinct coding constructions, in the new framework the two constructions are nothing but two different ways of specifying the set of i.i.d. rv's we are binning. Thus the new framework unifies the two coding strategies, for it only uses random binning.

In the traditional framework we need to count the size of 
typical sets; this is generally done via covering and packing 
lemmas. However in the OSRB framework we need to find 
two sets of conditions: one set of conditions for Slepian-Wolf 
decoders to succeed and another set implying independence of 
certain random bin indices. Thm. 1 of [6] provides sufficient 
conditions for the latter. This change from counting typical sequences to working with output statistics of random binnings provides a framework to prove results under a strong notion of security conveniently. This is partly due to the fact that OSRB brings the randomness of random codebook generation from the background into the foreground as an explicit rv (e.g. $B$ in the above example), or a set of rv's.

III. Secure Channel Simulation By Two Terminals

We begin with the formulation of the problem without any
secrecy constraints as in [5]:

A. Channel Simulation with no secrecy constraints 

Assume that Alice and Bob observe i.i.d. repetitions of two random variables $X_1$ and $X_2$ respectively, and would like to generate i.i.d. repetitions of rv's $Y_1$ and $Y_2$ respectively. Random variables $X_1, X_2, Y_1, Y_2$ are jointly distributed according to a given $p(x_{[1:2]}) p(y_{[1:2]} | x_{[1:2]})$. Alice and Bob are also provided with shared randomness at a rate $R_0$. The two parties can interactively talk to each other over $r$ rounds as they wish; the only constraints are that the total communication rate from Alice to Bob is bounded from above by $R_{12}$ and the total communication rate from Bob to Alice is bounded from above by $R_{21}$. The question is for which values of $(R_0, R_{12}, R_{21})$ the pmf $p(x_{[1:2]}, y_{[1:2]})$ can be asymptotically achieved; i.e. for every $\epsilon > 0$ there is a sequence of $(n, \epsilon)$ codes that results in $P(x^n_{[1:2]}, y^n_{[1:2]})$ satisfying the following for large $n$

$$\left\| P(x^n_{[1:2]}, y^n_{[1:2]}) - \prod_{i=1}^{n} p(x_{[1:2],i}, y_{[1:2],i}) \right\|_1 < \epsilon. \quad (1)$$



Remark 1 When $Y_1$ and $Y_2$ are deterministic functions of $X_1$ and $X_2$, the problem would be that of finding two functions via interactive communication.

Theorem 1 (Theorem 1 of [5]) The simulation rate region is the set $\mathcal{S}(r)$ of all non-negative rate tuples $(R_0, R_{12}, R_{21})$ for which there exists $p(f_{[1:r]} | x_{[1:2]}, y_{[1:2]}) \in \mathcal{T}(r)$ such that

$$R_{12} > I(X_1; F_{[1:r]} | X_2), \quad (2)$$
$$R_{21} > I(X_2; F_{[1:r]} | X_1), \quad (3)$$
$$R_0 + R_{12} > I(X_1; F_{[1:r]} | X_2) + I(F_1; Y_{[1:2]} | X_{[1:2]}), \quad (4)$$
$$R_0 + R_{12} + R_{21} > I(X_1; F_{[1:r]} | X_2) + I(X_2; F_{[1:r]} | X_1) + I(F_{[1:r]}; Y_{[1:2]} | X_{[1:2]}), \quad (5)$$

where $\mathcal{T}(r)$ is the set of $p(f_{[1:r]} | x_{[1:2]}, y_{[1:2]})$ satisfying

$$F_i - F_{[1:i-1]} X_1 - X_2, \quad \text{if } i \text{ is odd},$$
$$F_i - F_{[1:i-1]} X_2 - X_1, \quad \text{if } i \text{ is even},$$
$$Y_1 - F_{[1:r]} X_1 - X_2 Y_2, \qquad Y_2 - F_{[1:r]} X_2 - X_1 Y_1. \quad (6)$$

Remark 2 The non-symmetric equation (4) is due to the fact that the region is for a finite $r$ rounds of communication, with the first party starting the communication. The region would have been symmetric if the region was for infinite rounds of communication (i.e. $r \to \infty$).



To prove this theorem in [5], we take some arbitrary $p(f_{[1:r]} | x_{[1:2]}, y_{[1:2]}) \in \mathcal{T}(r)$. We start from the source coding side of the problem where only a single i.i.d. copy of $(F_1^n, \cdots, F_r^n, X^n_{[1:2]}, Y^n_{[1:2]})$ is created. The messages to be communicated in each stage $K_i$, the preshared randomness variables $B_i$, and the actual real shared randomness $\omega$ (of rate $R_0$) are created as bin indices of these i.i.d. variables in the following way: $B_1$, $K_1$ and $\omega$ are bin indices of three independent binnings of $F_1^n$. Rv's $B_i$ and $K_i$ are bin indices of two independent binnings of $(F_1^n, \cdots, F_i^n)$. The alphabet sizes of $\omega$, $K_i$ and $B_i$ are $2^{nR_0}$, $2^{nR_i}$ and $2^{n\tilde{R}_i}$ respectively. Just as in the point to point case, there are going to be some constraints for the Slepian-Wolf decodings to work (similar to the point to point condition of $Y^n$ and $B$ being sufficient to recover $X^n$), and some constraints for independence of the bin indices (similar to the point to point condition of $B$ and $M$ being nearly independent) to allow us to reverse the encoders and go from the source coding side to our original problem. We report the list of these conditions from [5].

1) Reliability of SW decoders:

$$R_1 + R_0 + \tilde{R}_1 > H(F_1 | X_2),$$
$$R_i + \tilde{R}_i > H(F_i | X_{(i+1)_2} F_{[1:i-1]}) \quad \forall i \in [2:r],$$

where $(i)_2$ was defined at the end of the introduction.

2) Independence constraints:

$$R_0 + \tilde{R}_1 < H(F_1 | X_1),$$
$$\tilde{R}_i < H(F_i | X_{(i)_2} F_{[1:i-1]}) \quad \forall i \in [2:r],$$
$$\sum_{t=1}^{i} \tilde{R}_t < H(F_{[1:i]} | X_{[1:2]} Y_{[1:2]}) \quad \forall i \in [1:r].$$

A Fourier-Motzkin elimination on the above constraints gives the region given in Thm. 1. To intuitively understand the reliability of SW decoders constraints, note that common randomness $\omega$, $B_1$ and $K_1$ are random bin indices of $F_1^n$ created by Alice. Bob needs a rate of $H(F_1 | X_2)$ from Alice to decode $F_1^n$ (and use it to create $F_2$ for the next round). This corresponds to the first SW constraint. Other SW constraints are similar with $B_i$ and $K_i$ serving as the random bin indices of $F^n_{[1:i]}$.

The first two independence constraints ensure that $B_{[1:r]}$, $\omega$ and $X^n_{[1:2]}$ are mutually independent: the first condition implies that $B_1$, $\omega$ and $X^n_{[1:2]}$ are mutually independent, and the second constraint implies that $B_i$ is nearly independent of $(B_{[1:i-1]}, \omega, X^n_{[1:2]})$. To see this observe that the first independence constraint corresponds to $B_1$ and $\omega$ being nearly mutually independent of each other and of $X_1^n$ (thus also independent of $X^n_{[1:2]}$ because of the Markov chain $F_1 - X_1 - X_2$ and the fact that $B_1$ and $\omega$ are bins of $F_1^n$). The second independence constraint implies that $B_i$ is nearly independent of $X^n_{(i)_2} F^n_{[1:i-1]}$. Because $B_i$ is a bin index of $F^n_{[1:i]}$ and because of the Markov chain $F_i - X_{(i)_2} F_{[1:i-1]} - X_{(i+1)_2}$, $B_i$ will be nearly independent of $X^n_{[1:2]} F^n_{[1:i-1]}$. Next, since $B_{[1:i-1]}$ and $\omega$ are functions of $F^n_{[1:i-1]}$, $B_i$ will be nearly independent of $(B_{[1:i-1]}, \omega, X^n_{[1:2]})$. Finally, the last independence constraint implies that $B_{[1:r]}$ is nearly mutually independent of $X^n_{[1:2]} Y^n_{[1:2]}$. Thus conditioning on a certain instance of $B_{[1:r]} = b_{[1:r]}$ does not disturb the joint pmf of $X^n_{[1:2]} Y^n_{[1:2]}$.

B. Channel Simulation with an eavesdropper 

We consider an eavesdropper (Eve) who is observing i.i.d. copies of $Z$, jointly distributed with $X_1$, $X_2$. We assume that Alice and Bob want to generate i.i.d. repetitions of $Y_1$ and $Y_2$ (within a vanishing total variation distance) jointly distributed with $X_1$, $X_2$, $Z$ according to a given $p(x_1, x_2, z) p(y_1, y_2 | x_1, x_2)$. Meanwhile they want to make sure that the public discussion reveals no new information to Eve about an $S^n$, created by passing $(Y_1^n, Y_2^n, X_1^n, X_2^n, Z^n)$ of the code through $n$ copies of the channel $p(s | x_1, x_2, y_1, y_2, z)$. We assume that Alice and Bob are provided with a preshared secret key of rate $R_0$.

Public communications are rate constrained by $R_{12}$ and $R_{21}$ as before. The secrecy constraint is

$$\lim_{n \to \infty} \left| I(S^n; Z^n, K_1, \cdots, K_r) - nI(S; Z) \right| = 0$$

over a sequence of codes where $K_1, K_2, \ldots, K_r$ are the messages exchanged during the $r$ rounds of interactive communication. Observe that we are using a strong notion of secrecy here. A strong notion of secrecy demands a vanishing $|I(S^n; Z^n, K_1, \cdots, K_r) - nI(S; Z)|$, whereas the weak notion of secrecy demands a vanishing $\frac{1}{n} |I(S^n; Z^n, K_1, \cdots, K_r) - nI(S; Z)|$.

The following theorem provides our result on the secure channel simulation. A slightly stronger version of this theorem can be found in [8].

Theorem 2 The set of achievable rate tuples includes all non-negative $(R_0, R_{12}, R_{21})$ for which there exists $p(f_{[1:r]}, x_{[1:2]}, y_{[1:2]}, z, s)$ such that equations (2)-(5), the Markov constraints

$$X_{[1:2]}, Z, Y_{[1:2]}, S \sim p(x_{[1:2]}, z) p(y_{[1:2]} | x_{[1:2]}) p(s | x_{[1:2]} y_{[1:2]} z),$$
$$F_i - F_{[1:i-1]} X_1 - X_2 Z, \quad \text{if } i \text{ is odd},$$
$$F_i - F_{[1:i-1]} X_2 - X_1 Z, \quad \text{if } i \text{ is even},$$
$$Y_1 - F_{[1:r]} X_1 - X_2 Y_2 Z,$$
$$Y_2 - F_{[1:r]} X_2 - X_1 Y_1 Z,$$
$$S - X_{[1:2]} Y_{[1:2]} Z - F_{[1:r]} \quad (7)$$

and the following additional constraint (for all $i \in [1:r]$) are satisfied.

$$I(F_{[1:i]}; SZ) + I(X_1; X_2 | F_{[1:i]}) < R_0 + I(X_1; X_2). \quad (8)$$

Discussion. The above theorem implies the achievability part of the result of [3] in the case of two terminals. Consider the special case of $Y_1 = Y_2 = S = Y = g(X_1, X_2)$, $Z = 0$, $r = 2$, $F_1 = X_1$, $F_2 = X_2$, $R_0 = 0$, $R_{12} = \infty$ and $R_{21} = \infty$. It shows that a function $Y = g(X_1, X_2)$ can be generated securely at both terminals if $H(Y) < I(X_1; X_2)$. Further if we have a preshared secret key at rate $R_0$, this condition reduces to $H(Y) < I(X_1; X_2) + R_0$.



Next, consider the special case of $Y_2 = 0$ and $Y_1 = g(X_1, X_2)$, i.e. only one terminal is interested in computing a function. As before assume $Z = 0$, $r = 2$, $R_{12} = \infty$ and $R_{21} = \infty$. In this case we can choose $F_1 = 0$ and $F_2 = X_2$. This gives us the constraint $I(X_2; Y_1) < I(X_2; X_1) + R_0$. When $R_0 = 0$ we get a result already known from 0.

Another special case is when $H(Y_2 | Y_1) = 0$ and $Y_1 = g(X_1, X_2)$, i.e. the function computed by the second terminal is a function of the one computed by the first terminal. Further assume $S = Y_1$, meaning that we would like to make sure that the eavesdropper learns nothing about $Y_1$. As before we are not charging the public discussion, i.e. $R_{12} = \infty$ and $R_{21} = \infty$. Assume further that $R_0 = 0$. It is shown in Corollary 4 of H that secure computation is possible if and only if $H(X_1, X_2 | Y_1) > H(X_2 | X_1) + H(Y_2 | X_2) + H(X_1 | Y_1, X_2)$. Observe that this condition is equivalent to $I(X_1; X_2) > I(X_2 Y_2; Y_1)$. To achieve it we can set $F_1 = 0$, $F_2 = X_2$, $F_3 = Y_2$.

Proof: We use the OSRB technique as above and create a single i.i.d. copy of $(F_1^n, \cdots, F_r^n, X^n_{[1:2]}, Y^n_{[1:2]}, Z^n, S^n)$, as well as bin indices $\omega$, $K_i$ and $B_i$ just as above. To impose the secrecy constraint, it suffices to ensure that $(S^n, Z^n)$ is nearly independent of $(B_{[1:r]}, K_{[1:r]})$, the public messages and the preshared randomness variables. This implies that for almost all choices of $B_{[1:r]} = b_{[1:r]}$, the mutual information $I(S^n; Z^n, K_{[1:r]} | B_{[1:r]} = b_{[1:r]})$ is asymptotically zero. To accomplish this we impose a stronger constraint that implies $B_{[1:r]}$, $K_{[1:r]}$ and $(S^n, Z^n)$ are asymptotically mutually independent. Using Thm. 1 of [6] (after removing redundant equations arising because the random variables we are binning are nested) we can write the condition as (see the full version [8] for details):

$$\sum_{t=1}^{i} (R_t + \tilde{R}_t) < H(F_{[1:i]} | S, Z) \quad \forall i \in [1:r],$$

where $R_t$ and $\tilde{R}_t$ are the rates of $K_t$ and $B_t$.

The Reliability and Independence constraints would not change. Applying a Fourier-Motzkin elimination, we get the region given in the statement of the theorem. See [8] for tricks to do the elimination efficiently. ■

IV. Secure Channel Simulation And Secret Key 
Generation 

When $R_{12} = R_{21} = \infty$, $Z = 0$ and $R_0 = 0$, Tyagi et al. have shown that secure computing of a common function $Y_1 = Y_2 = Y = g(X_1, X_2)$ is possible if and only if $H(Y) < I(X_1; X_2)$. The mutual information $I(X_1; X_2)$ is the secret key capacity of the corresponding source model problem. Thus $H(Y)$ cannot exceed $I(X_1; X_2)$ since $Y$ itself can serve as a secret key. Thus the non-trivial part is the achievability part. The authors in [3] also show that the terminals can compute $Y$ while simultaneously creating a secret key of rate $I(X_1; X_2) - H(Y)$ that is mutually independent of $Y$ and the public discussion. Therefore the function can be augmented by a residual secret key to yield an optimal SK generation scheme. But what if $Z$ is not a constant rv? The SK capacity is not known in this case. The best known lower bound is given in [7]. Note that the public discussion was not charged in [7]. Thus it would be desirable to prove a theorem that unifies these results.

In our work Alice and Bob generate $Y_1$ and $Y_2$ which are not necessarily equal. Let us first assume that $Y_1 = Y_2 = Y$. However, unlike [3], rv $Y$ is not necessarily a function of $(X_1, X_2)$; the conditional pmf $p(y | x_1, x_2)$ can be arbitrary. Setting $S = Y$ guarantees that Eve does not learn about $Y$ more than $I(Y; Z)$. Thus, Alice and Bob can extract a secret key of rate $H(Y|Z)$ (by taking a hash or random bin of their $Y^n$ sequences). In order to augment this key with an additional secret key, Alice and Bob use a code that enables them to simultaneously create a secret key $T$ that is independent of $Y^n$, $Z^n$ and the public discussion. In this case it is desirable to know if they can create a key of rate "secret key capacity minus $H(Y|Z)$".

But how about the general case of $Y_1 \neq Y_2$? Here we cannot use either $Y_1$, $Y_2$ or an $S$ as part of a secret key since neither is available at both parties. The natural extension is to imagine a fourth party, Charles, who is getting $S^n$. Alice and Bob want to generate $Y_1^n$ and $Y_2^n$ while protecting Charles against Eve (by making sure that Eve does not learn anything new about $S^n$). Here Alice and Bob also create a secret key $T$ that is secure against both Eve and Charles, i.e. $I(T; S^n, Z^n, K_1, \cdots, K_r) \to 0$ as $n$ converges to infinity. In other words, we would like the key to be independent of $S^n$, $Z^n$ and the public discussion under a strong notion of secrecy. We use $R_{SK}$ to denote the rate of the generated secret key. In the special case of $S = Y_1 = Y_2 = Y$, this problem reduces to the one discussed in the above paragraph.

Let us begin with the lower bound of [7]: for any set of random variables $F_1, F_2, \ldots, F_r$ such that $F_i - F_{[1:i-1]} X_{(i)_2} - Z X_{(i+1)_2}$ form a Markov chain, and for any $a \in [1:r]$, the secret key rate

$$\sum_{i=a}^{r} \left( I(F_i; X_{(i+1)_2} | F_{[1:i-1]}) - I(F_i; Z | F_{[1:i-1]}) \right) = I(X_1; X_2 | F_{[1:a-1]}) - I(X_1; X_2 | F_{[1:r]}) - I(F_{[a:r]}; Z | F_{[1:a-1]})$$

is achievable. The choice of $a = 1$ is the best choice in the lower bound when for any $a' \in [1:r]$

$$\sum_{i=1}^{a'} \left( I(F_i; X_{(i+1)_2} | F_{[1:i-1]}) - I(F_i; Z | F_{[1:i-1]}) \right) > 0, \quad (9)$$

otherwise we can replace $a = 1$ with $a'$ to get a strictly larger inner bound. To convey the ideas in the simplest way we restrict ourselves to the lower bound when the choice of $a = 1$ is optimal, and state the following theorem. A stronger version of this theorem can be found in [8].

Theorem 3 Take an arbitrary rate tuple $(R_0, R_{12}, R_{21})$ for which there exists $p(f_{[1:r]}, x_{[1:2]}, y_{[1:2]}, z, s)$ such that equations (2)-(5), the Markov constraints given in (7) and Eq. (8) hold. Then a secret key of rate $R_{SK}$ can be simultaneously created during the secure channel simulation protocol if

$$R_{SK} < R_0 + \sum_{i=1}^{r} \left( I(F_i; X_{(i+1)_2} | F_{[1:i-1]}) - I(F_i; ZS | F_{[1:i-1]}) \right) = R_0 + I(X_1; X_2) - I(X_1; X_2 | F_{[1:r]}) - I(F_{[1:r]}; ZS). \quad (10)$$

Remark 3 When $S = Y_1 = Y_2 = 0$, $R_0 = 0$ and $R_{12} = R_{21} = \infty$ we get back the lower bound of [7] for the case of $a = 1$. Eq. (8) reduces to (9) in this case, which is automatically satisfied when $a = 1$ is an optimal choice. In [8] we provide a complete generalization.

Remark 4 When $S = Y_1 = Y_2 = Y = g(X_1, X_2)$ and $R_{12} = R_{21} = \infty$ we can set $F_1 = X_1$ and $F_2 = X_2$ to get achievable secret key rate $[I(X_1; X_2) - I(X_1 X_2; Z)] - H(Y|Z)$. When $Z = 0$ we get $I(X_1; X_2) - H(Y)$, indicating that this choice is optimal. However this choice for $F_i$, $i \in [1:r]$, is not necessarily optimal when $Z$ is not constant.
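
A numerical check of the bound (10) under the choice of Remark 4, given as an added example and not as code from the paper. The joint pmf is constructed for illustration: $X_1$ uniform on four symbols, $X_2$ a noisy copy of $X_1$, Eve's $Z$ a noisy parity of $X_1$, and $g(X_1, X_2) = (X_1 + X_2) \bmod 2$, with $R_0 = 0$ and $S = Y$. It evaluates both forms of (10), compares them with the rate stated in Remark 4, and tests constraint (8).

```python
from itertools import product
from math import log2

X1, X2, Z, Y = 0, 1, 2, 3          # coordinate positions in each outcome tuple

def build_pmf(eps=0.03, q=0.3):
    """Constructed pmf: X1 uniform on {0..3}, X2 = X1 + Bern(eps) mod 4,
    Z = parity(X1) xor Bern(q), Y = g(X1, X2) = (X1 + X2) mod 2."""
    pmf = {}
    for x1, flip, noise in product(range(4), (0, 1), (0, 1)):
        x2 = (x1 + flip) % 4
        z = (x1 % 2) ^ noise
        y = (x1 + x2) % 2
        p = 0.25 * (eps if flip else 1 - eps) * (q if noise else 1 - q)
        pmf[(x1, x2, z, y)] = p
    return pmf

def H(pmf, coords):
    """Joint entropy in bits of the listed coordinates."""
    marg = {}
    for outcome, p in pmf.items():
        key = tuple(outcome[i] for i in coords)
        marg[key] = marg.get(key, 0.0) + p
    return -sum(p * log2(p) for p in marg.values() if p > 0)

def I(pmf, a, b, c=()):
    """Conditional mutual information I(A; B | C) from joint entropies."""
    a, b, c = tuple(a), tuple(b), tuple(c)
    return H(pmf, a + c) + H(pmf, b + c) - H(pmf, a + b + c) - H(pmf, c)

def rate_sum_form(pmf, r0=0.0):
    """R_0 + sum_i [I(F_i; X_{(i+1)_2} | F_[1:i-1]) - I(F_i; ZS | F_[1:i-1])]
    with F_1 = X1, F_2 = X2 and S = Y."""
    rounds = [((X1,), (X2,)), ((X2,), (X1,))]   # (F_i, X_{(i+1)_2})
    total, past = r0, ()
    for f, receiver_side in rounds:
        total += I(pmf, f, receiver_side, past) - I(pmf, f, (Z, Y), past)
        past += f
    return total

def rate_closed_form(pmf, r0=0.0):
    """R_0 + I(X1;X2) - I(X1;X2 | F_[1:r]) - I(F_[1:r]; ZS)."""
    f_all = (X1, X2)
    return (r0 + I(pmf, (X1,), (X2,)) - I(pmf, (X1,), (X2,), f_all)
            - I(pmf, f_all, (Z, Y)))

def rate_remark4(pmf):
    """[I(X1;X2) - I(X1 X2; Z)] - H(Y|Z)."""
    h_y_given_z = H(pmf, (Y, Z)) - H(pmf, (Z,))
    return I(pmf, (X1,), (X2,)) - I(pmf, (X1, X2), (Z,)) - h_y_given_z

def eq8_holds(pmf, r0=0.0):
    """Constraint (8) for i = 1, 2 with F_1 = X1, F_2 = X2, S = Y."""
    bound = r0 + I(pmf, (X1,), (X2,))
    prefixes = [(X1,), (X1, X2)]                # F_[1:1], F_[1:2]
    return all(I(pmf, f, (Y, Z)) + I(pmf, (X1,), (X2,), f) < bound
               for f in prefixes)

if __name__ == "__main__":
    pmf = build_pmf()
    print(f"sum form    : {rate_sum_form(pmf):.4f} bits")
    print(f"closed form : {rate_closed_form(pmf):.4f} bits")
    print(f"Remark 4    : {rate_remark4(pmf):.4f} bits")
    print(f"(8) holds   : {eq8_holds(pmf)}")
```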

Proof: We follow the same scheme as in the previous case, at the end of which we create $T$ as the bin index of a random binning of $F^n_{[1:r]}$ (with the number of bins equal to $2^{nR_{SK}}$). Since $F^n_{[1:r]}$ is available to both parties at the end of the protocol, both parties can agree on $T$ with high probability (see [8] for rigorous statements). Thus we need conditions that imply $T$ is independent of $(B_{[1:r]}, K_{[1:r]}, S^n, Z^n)$. It suffices to make sure that $T$, $(S^n, Z^n)$, $B_{[1:r]}$ and $K_{[1:r]}$ are mutually independent. Using Thm. 1 of [6] (after removing redundant equations) we can write the conditions, with $R_t$ and $\tilde{R}_t$ the rates of $K_t$ and $B_t$, as (see the full version [8] for details):

$$R_{SK} + \sum_{t=1}^{r} (R_t + \tilde{R}_t) < H(F_{[1:r]} | S, Z),$$
$$\sum_{t=1}^{a'} (R_t + \tilde{R}_t) < H(F_{[1:a']} | S, Z), \quad \forall a' \in [1:r].$$

Applying a Fourier-Motzkin elimination, we get Eq. (10) as well as the following additional constraints for any $a' \in [1:r]$

$$R_0 + \sum_{i=1}^{a'} \left( I(F_i; X_{(i+1)_2} | F_{[1:i-1]}) - I(F_i; ZS | F_{[1:i-1]}) \right) > 0.$$

The above constraint is identical to the one given in Eq. (8).